A system and method for malicious lateral movement detection. A method includes identifying atomic tunnels in packets sent between devices; identifying tunnel constructs; determining a potentially malicious atomic tunnel among the atomic tunnels by comparing edges of each of the atomic tunnels to edges of previously observed tunnel constructs; determining a potentially malicious tunnel including the potentially malicious atomic tunnel; and mitigating the potentially malicious tunnel. Each atomic tunnel is a structure representing communications among the devices defined with respect to at least three nodes and at least two edges. Each node represents a respective device, and each edge represents a connection between two of the devices. Each atomic tunnel has two hops, where each hop is a level of communication in which a packet is sent from one device to another device. Each tunnel construct is a structure including at least one of the atomic tunnels.
A system and method for anomaly detection. A method includes recursively partitioning a sample of device activity data including deterministic characteristics of a population of devices over iterations in order to create partitions. Each iteration includes determining a split density metric for a candidate subpopulation created by splitting a portion of the population with respect to a corresponding type of deterministic characteristic. The split density metric for the candidate subpopulation is determined based on a density value of the candidate subpopulation and a coverage value of the corresponding type of deterministic characteristic. The partitions include each candidate subpopulation meeting a split density metric threshold. A baseline for each of the partitions is established based on device activity for devices represented in device activity data of the partition. An anomaly is detected based on behavior of a device and the baseline established for a partition corresponding to the device.
H04L 43/08 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux
3.
SYSTEM AND METHOD FOR OPERATING SYSTEM DISTRIBUTION AND VERSION IDENTIFICATION USING COMMUNICATIONS SECURITY FINGERPRINTS
A system and method for inferring an operating system version for a device based on communications security data. A method includes identifying a plurality of sequences in communications security data sent by the device; determining an operating system type of an operating system used by the device based on the identified plurality of sequences; applying a version-identifying model to the identified plurality of sequences, wherein the version-identifying model is a machine learning model trained to output a version identifier, wherein the applied version-identifying model is associated with the determined operating system type; and determining the operating system version of the device based on the output of the version-identifying model.
A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.
G06F 21/73 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du calcul ou du traitement de l’information par création ou détermination de l’identification de la machine, p. ex. numéros de série
G06F 16/14 - Détails de la recherche de fichiers basée sur les métadonnées des fichiers
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
This disclosure relates to systems, methods, and devices for identifying anomalous network activity. In some embodiments, a baseline model is used for identifying anomalous network activity. In some embodiments, anomalous network activity is detected based on a z-score, modified z-score, or both being above respective thresholds when compared to the baseline. In some embodiments, multiple baseline models are used, and anomalous network activity is detected when multiple baseline models identify a network activity session as anomalous. In some embodiments, two baseline models are used.
This disclosure relates to systems, methods, and devices for identifying anomalous network activity. In some embodiments, a baseline model is used for identifying anomalous network activity. In some embodiments, anomalous network activity is detected based on a z-score, modified z-score, or both being above respective thresholds when compared to the baseline. In some embodiments, multiple baseline models are used, and anomalous network activity is detected when multiple baseline models identify a network activity session as anomalous. In some embodiments, two baseline models are used.
A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.
The present disclosure provides systems and methods for asset identification and consolidation in a network. In some implementations, the methods involve receiving data including a plurality of media access control (MAC) addresses from at least one source, analyzing the received MAC addresses to determine one or more MAC addresses that are repeated in the received data, and labeling the repeated MAC addresses as weak identifiers for asset identification. Some implementations herein enable improved accuracy in identifying and consolidating network assets by distinguishing between reliable and unreliable identifiers, thereby enhancing network security and management capabilities.
H04L 41/16 - Dispositions pour la maintenance, l’administration ou la gestion des réseaux de commutation de données, p. ex. des réseaux de commutation de paquets en utilisant l'apprentissage automatique ou l'intelligence artificielle
H04L 101/622 - Adresses de couche 2, p. ex. adresses de contrôle d'accès au support [MAC]
H04L 69/22 - Analyse syntaxique ou évaluation d’en-têtes
The present disclosure provides systems and methods for asset identification and consolidation in a network. In some implementations, the methods involve receiving data including a plurality of media access control (MAC) addresses from at least one source, analyzing the received MAC addresses to determine one or more MAC addresses that are repeated in the received data, and labeling the repeated MAC addresses as weak identifiers for asset identification. Some implementations herein enable improved accuracy in identifying and consolidating network assets by distinguishing between reliable and unreliable identifiers, thereby enhancing network security and management capabilities.
The present disclosure relates to systems and methods for determining comprehensive and asset vulnerability ratings using models such as artificial intelligence (AI) and machine learning (ML) models. These models can identify relevant attributes, optimize attribute values, and determine logical relationships between attributes. The term "model" encompasses various types of AI and ML models, including neural networks, language models, multimodal models, and others. Models can be trained using supervised learning with labeled data to predict or classify new data items. The models can be locally hosted, cloud-managed, or accessed via APIs, and can be implemented in electronic hardware such as computer processors.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.
The present disclosure relates to systems and methods for determining comprehensive and asset vulnerability ratings using models such as artificial intelligence (AI) and machine learning (ML) models. These models can identify relevant attributes, optimize attribute values, and determine logical relationships between attributes. The term “model” encompasses various types of AI and ML models, including neural networks, language models, multimodal models, and others. Models can be trained using supervised learning with labeled data to predict or classify new data items. The models can be locally hosted, cloud-managed, or accessed via APIs, and can be implemented in electronic hardware such as computer processors.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/56 - Détection ou gestion de programmes malveillants, p. ex. dispositions anti-virus
13.
Techniques for securing network environments by identifying device attributes based on string field conventions
A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
14.
Techniques for enriching device profiles and mitigating cybersecurity threats using enriched device profiles
Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.
A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors and assumed risk behaviors, wherein the observed risk behaviors are indicated by data related to network activity by the device, wherein the assumed risk behaviors are extrapolated based on known contextual information related to the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
16.
System and method for determining device attributes using a classifier hierarchy
A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.
G06F 18/2113 - Sélection du sous-ensemble de caractéristiques le plus significatif en classant ou en filtrant l'ensemble des caractéristiques, p. ex. en utilisant une mesure de la variance ou de la corrélation croisée des caractéristiques
G06F 18/213 - Extraction de caractéristiques, p. ex. en transformant l'espace des caractéristiquesSynthétisationsMappages, p. ex. procédés de sous-espace
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
H04L 43/0817 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux en vérifiant la disponibilité en vérifiant le fonctionnement
G06V 30/24 - Reconnaissance de caractères caractérisée par la méthode de traitement ou de reconnaissance
17.
Techniques for resolving contradictory device profiling data
A system and method for resolving contradictory device profiling data. The method includes: determining a set of non-contradicting values and a set of contradicting values in device profiling data related to a device based on a plurality of conflict rules; merging values of the set of non-contradicting values in device profiling data into at least one first value; selecting at least one second value from the set of contradicting values, wherein selecting one of the at least one second value from each set of contradicting values further includes generating a certainty score corresponding to each value of the set of contradicting values, wherein each certainty score indicates a likelihood that the corresponding value is accurate, wherein the at least one second value is selected based on the certainty scores; and creating a device profile based on the at least one first value and the at least one second value.
A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.
A method and system for detecting vulnerable wireless networks coexisting in a wireless environment of an organization are provided. The method includes receiving intercepted traffic, wherein the intercepted traffic is transmitted by at least one wireless device operable in an airspace of the wireless environment, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the received traffic to detect at least one active connection between a legitimate wireless device of the at least one wireless device and at least one unknown wireless device, wherein the legitimate wireless device is at least legitimately authorized to access a protected computing resource of the organization; and determining if the at least one detected active connection forms a vulnerable wireless network.
A system and method for anomaly detection. A method includes recursively partitioning a sample of device activity data including deterministic characteristics of a population of devices over iterations in order to create partitions. Each iteration includes determining a split density metric for a candidate subpopulation created by splitting a portion of the population with respect to a corresponding type of deterministic characteristic. The split density metric for the candidate subpopulation is determined based on a density value of the candidate subpopulation and a coverage value of the corresponding type of deterministic characteristic. The partitions include each candidate subpopulation meeting a split density metric threshold. A baseline for each of the partitions is established based on device activity for devices represented in device activity data of the partition. An anomaly is detected based on behavior of a device and the baseline established for a partition corresponding to the device.
A system and method for anomaly detection. A method includes recursively partitioning a sample of device activity data including deterministic characteristics of a population of devices over iterations in order to create partitions. Each iteration includes determining a split density metric for a candidate subpopulation created by splitting a portion of the population with respect to a corresponding type of deterministic characteristic. The split density metric for the candidate subpopulation is determined based on a density value of the candidate subpopulation and a coverage value of the corresponding type of deterministic characteristic. The partitions include each candidate subpopulation meeting a split density metric threshold. A baseline for each of the partitions is established based on device activity for devices represented in device activity data of the partition. An anomaly is detected based on behavior of a device and the baseline established for a partition corresponding to the device.
H04L 43/08 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux
22.
MALICIOUS LATERAL MOVEMENT DETECTION USING REMOTE SYSTEM PROTOCOLS
A system and method for malicious lateral movement detection. A method includes identifying atomic tunnels in packets sent between devices; identifying tunnel constructs; determining a potentially malicious atomic tunnel among the atomic tunnels by comparing edges of each of the atomic tunnels to edges of previously observed tunnel constructs; determining a potentially malicious tunnel including the potentially malicious atomic tunnel; and mitigating the potentially malicious tunnel. Each atomic tunnel is a structure representing communications among the devices defined with respect to at least three nodes and at least two edges. Each node represents a respective device, and each edge represents a connection between two of the devices. Each atomic tunnel has two hops, where each hop is a level of communication in which a packet is sent from one device to another device. Each tunnel construct is a structure including at least one of the atomic tunnels.
A system and method for malicious lateral movement detection. A method includes identifying atomic tunnels in packets sent between devices; identifying tunnel constructs; determining a potentially malicious atomic tunnel among the atomic tunnels by comparing edges of each of the atomic tunnels to edges of previously observed tunnel constructs; determining a potentially malicious tunnel including the potentially malicious atomic tunnel; and mitigating the potentially malicious tunnel. Each atomic tunnel is a structure representing communications among the devices defined with respect to at least three nodes and at least two edges. Each node represents a respective device, and each edge represents a connection between two of the devices. Each atomic tunnel has two hops, where each hop is a level of communication in which a packet is sent from one device to another device. Each tunnel construct is a structure including at least one of the atomic tunnels.
A system and method for determining device attributes based on host configuration protocols. A method includes identifying queries of interest among an application data set including queries for computer address data sent by at least one device, wherein each query of interest meets a respective threshold of at least one threshold for each of the at least one score output by a machine learning model, wherein the machine learning model is trained to output at least one score with respect to statistical properties of queries for computer address data; determining prediction thresholds by applying the machine learning model to a validation data set, wherein each prediction threshold corresponds to a respective output of the machine learning model; and determining, based on the prediction thresholds and the scores output by the machine learning model for the identified queries of interest when applied to the application dataset, device attributes for the device.
H04L 61/5014 - Adresses de protocole Internet [IP] en utilisant le protocole de configuration dynamique de l'hôte [DHCP] ou le protocole d'amorçage [BOOTP]
A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.
G06F 16/25 - Systèmes d’intégration ou d’interfaçage impliquant les systèmes de gestion de bases de données
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
26.
System and method for detecting cybersecurity vulnerabilities via device attribute resolution
A system and method for vulnerability detection. A method includes: tokenizing device attribute data for a device into at least one set of first tokens, wherein each of the first tokens is formatted according to a token schema; creating at least one device attribute string, each device attribute string including one of the first tokens; matching each of the at least one device attribute string to combinations of device attributes stored in a vulnerabilities database in order to identify at least one matching combination of device attributes for the device, wherein the vulnerabilities database stores mappings between combinations of device attributes and vulnerabilities, wherein each combination of device attributes in the vulnerabilities database includes second tokens formatted according to the token schema; detecting at least one vulnerability of the device based on the at least one matching combination of device attributes and the mappings in the vulnerabilities database.
G06F 21/73 - Protection de composants spécifiques internes ou périphériques, où la protection d'un composant mène à la protection de tout le calculateur pour assurer la sécurité du calcul ou du traitement de l’information par création ou détermination de l’identification de la machine, p. ex. numéros de série
G06F 16/14 - Détails de la recherche de fichiers basée sur les métadonnées des fichiers
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
H04L 9/32 - Dispositions pour les communications secrètes ou protégéesProtocoles réseaux de sécurité comprenant des moyens pour vérifier l'identité ou l'autorisation d'un utilisateur du système
A system and method for determining device attributes based on host configuration protocols. A method includes applying at least one machine learning model to a test data set extracted from host configuration protocol data including at least one test options sequence, wherein each test options sequence is an ordered series of options requested by a first device, wherein each of the at least one machine learning model is trained based on a train data set including a plurality of training options sequences and a plurality of device attributes, wherein each training options sequence and each device attribute of the train data set corresponds to a respective second device; and determining, based on the output of the at least one machine learning model, at least one device attribute for the first device.
A system and method for determining device attributes based on host configuration protocols. A method includes applying at least one machine learning model to a test data set extracted from host configuration protocol data including at least one test options sequence, wherein each test options sequence is an ordered series of options requested by a first device, wherein each of the at least one machine learning model is trained based on a train data set including a plurality of training options sequences and a plurality of device attributes, wherein each training options sequence and each device attribute of the train data set corresponds to a respective second device; and determining, based on the output of the at least one machine learning model, at least one device attribute for the first device.
A system and method for determining device attributes based on protocol string conventions. A method includes applying at least one machine learning model to an application data set extracted based on at least one first pair of strings, each first pair of strings including a protocol string and a key string indicated in respective fields of communications session data corresponding to a device, wherein each machine learning model is trained based on a training data set including second pairs of strings device attribute labels, wherein each device attribute label corresponds to one of the second pairs of strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first pair of strings; and determining, based on the output of the at least one machine learning model, at least one device attribute of the device.
A system and method for determining device attributes based on protocol string conventions. A method includes applying at least one machine learning model to an application data set extracted based on at least one first pair of strings, each first pair of strings including a protocol string and a key string indicated in respective fields of communications session data corresponding to a device, wherein each machine learning model is trained based on a training data set including second pairs of strings device attribute labels, wherein each device attribute label corresponds to one of the second pairs of strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first pair of strings; and determining, based on the output of the at least one machine learning model, at least one device attribute of the device.
A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.
A system and method for inferring device types. A method includes selecting a device type inference model from among a plurality of device type inference models based on a manufacturer of a device, wherein each device type inference model corresponds to a respective manufacturer and is trained using training data of devices manufactured by the respective manufacturer, wherein each device type inference model is trained to output a device type prediction; and determining an inferred device type for the device, wherein determining the inferred device type for the device further comprises applying the selected device type inference model to a plurality of features, wherein the plurality of features is extracted from device activity data indicating ports used by the device and at least one volume of traffic communicated via each port used by the device.
Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.
Systems and methods for device profile enrichment. A method includes determining a plurality of distributions of device attributes with respect to a plurality of fields of a predefined device profile schema; generating a plurality of inference rules based on the plurality of distributions of device attributes, wherein each inference rule indicates at least one required device attribute and at least one inferred device attribute; creating an ordered set of inference rules including the plurality of inference rules organized with respect to a plurality of scores, each score corresponding to one of the plurality of inference rules, wherein the score for each inference rule is determined based on the at least one required device attribute of the inference rule; and enriching at least one device profile by iterating the ordered set of inference rules, wherein enriching a device profile includes adding at least one device attribute value to the device profile.
A system and method for machine learning features validation. A method includes: performing statistical testing on a plurality of pairs of features, each pair of features including a test feature of a plurality of test features extracted from a first data set and a corresponding training feature extracted from a second data set during a training phase for a machine learning model, wherein the statistical testing is performed under a null hypothesis that the first data set and the second data set are drawn from a same continuous distribution, wherein performing the statistical testing further comprises determining a degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature; and determining, based on the degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature, whether the plurality of test features is validated.
A system and method for machine learning model validation. A method includes: determining a first score distribution for a first run of a machine learning model and a second score distribution for a second run of the machine learning model, wherein the first run includes applying the machine learning model to a first test dataset, wherein the second run includes applying the machine learning model to a second test dataset, wherein the second test dataset is collected after the first test dataset; comparing the first score distribution to the second score distribution; determining, based on the comparison, whether the machine learning model is validated; continuing use of the machine learning model when it is determined that the machine learning model is validated; and performing at least one rehabilitative action with respect to the machine learning model when it is determined that the machine learning model is not validated.
A system and method for machine learning features validation. A method includes: performing statistical testing on a plurality of pairs of features, each pair of features including a test feature of a plurality of test features extracted from a first data set and a corresponding training feature extracted from a second data set during a training phase for a machine learning model, wherein the statistical testing is performed under a null hypothesis that the first data set and the second data set are drawn from a same continuous distribution, wherein performing the statistical testing further comprises determining a degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature; and determining, based on the degree to which each test feature of the plurality of pairs of features deviates from the corresponding training feature, whether the plurality of test features is validated.
A system and method for machine learning model validation. A method includes: determining a first score distribution for a first run of a machine learning model and a second score distribution for a second run of the machine learning model, wherein the first run includes applying the machine learning model to a first test dataset, wherein the second run includes applying the machine learning model to a second test dataset, wherein the second test dataset is collected after the first test dataset; comparing the first score distribution to the second score distribution; determining, based on the comparison, whether the machine learning model is validated; continuing use of the machine learning model when it is determined that the machine learning model is validated; and performing at least one rehabilitative action with respect to the machine learning model when it is determined that the machine learning model is not validated.
A system and method for determining device attributes using a classifier hierarchy. The method includes determining exploitation conditions for a manufacturing device based on a first set of device attributes of the manufacturing device and a second set of device attributes indicated in a vulnerabilities database; analyzing behavior and configuration of the manufacturing device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the exploitation conditions; and performing mitigation actions based on the exploitable vulnerability. The vulnerabilities database further indicates known exploits for the second set of device attributes. Analyzing the behavior and configuration of the manufacturing device includes identifying that a port is open and querying a vulnerability scanner for identifying information of the open port, wherein the currently exploitable vulnerability is detected based further on the identifying information of the open port.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06N 5/04 - Modèles d’inférence ou de raisonnement
A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.
G06F 21/51 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation au stade du chargement de l’application, p. ex. en acceptant, en rejetant, en démarrant ou en inhibant un logiciel exécutable en fonction de l’intégrité ou de la fiabilité de la source
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
41.
TECHNIQUES FOR SECURING NETWORK ENVIRONMENTS BY IDENTIFYING DEVICE ATTRIBUTES BASED ON STRING FIELD CONVENTIONS
A system and method for identifying device attributes based on string field conventions. A method includes applying at least one machine learning model to an application data set extracted based on a string indicated in a field of device data corresponding to a device, wherein each of the at least one machine learning model is trained based on a training data set including a plurality of second strings and a plurality of device attribute labels, wherein each device attribute label corresponds to a respective second string of the plurality of second strings, wherein each of the at least one machine learning model is configured to output a predicted device attribute for the device based on the first string; and identifying, based on the output of the at least one machine learning model, a device attribute of the device.
A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.
A system and method for detecting abnormal device traffic behavior. The method includes creating a baseline clustering model for a device based on a training data set including traffic data for the device, wherein the baseline clustering model includes a plurality of clusters, each cluster representing a discrete state and including a plurality of first data points of the training data set; sampling a plurality of second data points with respect to windows of time in order to create at least one sample, each sample including at least a portion of the plurality of second data points, wherein the plurality of second data points are related to traffic involving the device; and detecting anomalous traffic behavior of the device based on the at least one sample and the baseline clustering model.
G06F 21/00 - Dispositions de sécurité pour protéger les calculateurs, leurs composants, les programmes ou les données contre une activité non autorisée
G06F 16/28 - Bases de données caractérisées par leurs modèles, p. ex. des modèles relationnels ou objet
A system and method for inferring an operating system version for a device based on communications security data. A method includes identifying a plurality of sequences in communications security data sent by the device; determining an operating system type of an operating system used by the device based on the identified plurality of sequences; applying a version-identifying model to the identified plurality of sequences, wherein the version-identifying model is a machine learning model trained to output a version identifier, wherein the applied version-identifying model is associated with the determined operating system type; and determining the operating system version of the device based on the output of the version-identifying model.
A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device, wherein the plurality of risk behaviors includes observed risk behaviors and assumed risk behaviors, wherein the observed risk behaviors are indicated by data related to network activity by the device, wherein the assumed risk behaviors are extrapolated based on known contextual information related to the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
47.
SYSTEM AND METHOD FOR SECURING NETWORKS BASED ON CATEGORICAL FEATURE DISSIMILARITIES
A system and method for detecting deviations from baseline behavior patterns for categorical features. A method includes determining a first discrete probability distribution for a categorical variable based on a first set of network activity data; determining a second discrete probability distribution for a unique observation based on a second set of network activity data; comparing the second discrete probability distribution to the first discrete probability distribution by applying a distance function to the first and second discrete probability distributions, wherein an output of the distance function is a scalar value representing a difference between the first and second discrete probability distributions; determining whether the scalar value is above a threshold; detecting an anomaly with respect to the categorical variable when the scalar value is above the threshold; and determining that a behavior with respect to the categorical variable is normal when the scalar value is not above the threshold.
A system and method for detecting deviations from baseline behavior patterns for categorical features. A method includes determining a first discrete probability distribution for a categorical variable based on a first set of network activity data; determining a second discrete probability distribution for a unique observation based on a second set of network activity data; comparing the second discrete probability distribution to the first discrete probability distribution by applying a distance function to the first and second discrete probability distributions, wherein an output of the distance function is a scalar value representing a difference between the first and second discrete probability distributions; determining whether the scalar value is above a threshold; detecting an anomaly with respect to the categorical variable when the scalar value is above the threshold; and determining that a behavior with respect to the categorical variable is normal when the scalar value is not above the threshold.
A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.
A system and method for anomaly interpretation and mitigation. A method includes extracting at least one input feature vector from observation data related to an observation; applying an isolation forest to the at least one input feature vector, wherein the isolation forest includes a plurality of estimators, wherein each estimator is a decision tree, wherein the output of each estimator is a split-path of a plurality of split-paths, each split-path having a path-length and including name and a corresponding value for a respective output feature of a plurality of output features; generating a mapping object based on the application of the isolation forest to the at least one feature vector, wherein the mapping object includes the plurality of split-paths; clipping the mapping object based on the path-length of each split-path; and determining at least one mitigation action based on the clipped mapping object.
A system and method for inferring device models. The method includes determining block statistics for each block of a plurality of blocks of a plurality of media access control (MAC) addresses, the plurality of blocks having a plurality of respective prefixes, wherein the plurality of blocks are grouped based on commonalities among the plurality of respective prefixes; generating an aggregated statistical model for the plurality of blocks based on the plurality of MAC addresses and the block statistics, wherein each block is a string of digits included in one of the plurality of MAC addresses; and applying the aggregated statistical model to the block statistics of at least one block of the plurality of blocks in order to determine at least one inferred device model, wherein each of the at least one block is grouped into the same group.
A system and method for inferring device models. The method includes determining block statistics for each block of a plurality of blocks of a plurality of media access control (MAC) addresses, the plurality of blocks having a plurality of respective prefixes, wherein the plurality of blocks are grouped based on commonalities among the plurality of respective prefixes; generating an aggregated statistical model for the plurality of blocks based on the plurality of MAC addresses and the block statistics, wherein each block is a string of digits included in one of the plurality of MAC addresses; and applying the aggregated statistical model to the block statistics of at least one block of the plurality of blocks in order to determine at least one inferred device model, wherein each of the at least one block is grouped into the same group.
A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a manufacturing device based on at least one first device attribute of the manufacturing device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a medical device based on at least one first device attribute of the medical device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the medical device, wherein the exploitable vulnerability is a behavior or configuration of the medical device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
A system and method for determining device attributes using a classifier hierarchy. The method includes: determining at least one exploitation condition for a manufacturing device based on at least one first device attribute of the manufacturing device and a plurality of second device attributes indicated in a vulnerabilities database, wherein the vulnerabilities database further indicates a plurality of known exploits for the plurality of second device attributes; analyzing behavior and configuration of the medical device to detect an exploitable vulnerability for the manufacturing device, wherein the exploitable vulnerability is a behavior or configuration of the manufacturing device which meets the at least one exploitation condition; and performing at least one mitigation action based on the exploitable vulnerability.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
G06F 21/55 - Détection d’intrusion locale ou mise en œuvre de contre-mesures
G06N 5/04 - Modèles d’inférence ou de raisonnement
A system and method for inferring device operating systems. A method includes applying a sequence-based model to an option-types sequence in order to output a plurality of first features, wherein each of the first features is a value representing a probability that the options-type sequence is associated with a respective operating system; applying a distribution dissimilarity model to metadata field distribution data extracted from the headers of the packets sent by the device in order to output a plurality of second features, wherein the plurality of second features includes a plurality of distances, wherein each distance is based on a difference between a distribution of values of each metadata field indicated in the metadata field distribution data; and applying an operating system inference model to the plurality of first features and the plurality of second features in order to output an inferred operating system for the device.
A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.
A system and method for determining device attributes using a classifier hierarchy. The method includes: sequentially applying a plurality of sub-models of a hierarchy to a plurality of features extracted from device activity data, wherein the sequential application ends with applying a last sub-model of the plurality of sub-models, wherein each sub-model includes a plurality of classifiers, wherein each sub-model outputs a class when applied to at least a portion of the plurality of features, wherein each class is a classifier output representing a device attribute, wherein applying the plurality of sub-models further comprises iteratively determining a next sub-model to apply based on the class output by a most recently applied sub-model and the hierarchy; and determining a device attribute based on the class output by the last sub-model.
G06F 18/2113 - Sélection du sous-ensemble de caractéristiques le plus significatif en classant ou en filtrant l'ensemble des caractéristiques, p. ex. en utilisant une mesure de la variance ou de la corrélation croisée des caractéristiques
G06F 18/213 - Extraction de caractéristiques, p. ex. en transformant l'espace des caractéristiquesSynthétisationsMappages, p. ex. procédés de sous-espace
G06F 18/214 - Génération de motifs d'entraînementProcédés de Bootstrapping, p. ex. ”bagging” ou ”boosting”
H04L 43/0817 - Surveillance ou test en fonction de métriques spécifiques, p. ex. la qualité du service [QoS], la consommation d’énergie ou les paramètres environnementaux en vérifiant la disponibilité en vérifiant le fonctionnement
G06V 30/24 - Reconnaissance de caractères caractérisée par la méthode de traitement ou de reconnaissance
60.
TECHNIQUES FOR RESOLVING CONTRADICTORY DEVICE PROFILING DATA
A system and method for resolving contradictory device profiling data. The method includes: determining a set of non-contradicting values and a set of contradicting values in device profiling data related to a device based on a plurality of conflict rules; merging values of the set of non-contradicting values in device profiling data into at least one first value; selecting at least one second value from the set of contradicting values, wherein selecting one of the at least one second value from each set of contradicting values further includes generating a certainty score corresponding to each value of the set of contradicting values, wherein each certainty score indicates a likelihood that the corresponding value is accurate, wherein the at least one second value is selected based on the certainty scores; and creating a device profile based on the at least one first value and the at least one second value.
A system and method for resolving contradictory device profiling data. The method includes: determining a set of non-contradicting values and a set of contradicting values in device profiling data related to a device based on a plurality of conflict rules; merging values of the set of non-contradicting values in device profiling data into at least one first value; selecting at least one second value from the set of contradicting values, wherein selecting one of the at least one second value from each set of contradicting values further includes generating a certainty score corresponding to each value of the set of contradicting values, wherein each certainty score indicates a likelihood that the corresponding value is accurate, wherein the at least one second value is selected based on the certainty scores; and creating a device profile based on the at least one first value and the at least one second value.
A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
G06F 21/50 - Contrôle des utilisateurs, des programmes ou des dispositifs de préservation de l’intégrité des plates-formes, p. ex. des processeurs, des micrologiciels ou des systèmes d’exploitation
H04L 29/14 - Contre-mesures pour remédier à un défaut
63.
System and method for mitigating cyber security threats by devices using risk factors
A system and method for mitigating cyber security threats by devices using risk factors. The method includes determining a plurality of risk factors for a device based on a plurality of risk behaviors indicated by network activity and information of the device; determining a risk score for the device based on the plurality of risk factors and a plurality of weights, wherein each of the plurality of weights is applied to one of the plurality of risk factors; and performing at least one mitigation action based on the risk score.
A method and system for detecting vulnerable wireless devices operating in a wireless environment of an organization are provided. The method includes identifying a plurality of wireless devices operable in the wireless environment; for each identified wireless device: receiving intercepted traffic transmitted by the wireless device, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the intercepted traffic to determine if the wireless device is vulnerable, wherein the analysis is performed using an at least one investigation action; computing a risk score based on results of each of the least one investigation action; determining, based on the computed risk scores, if the wireless device is as vulnerable; and generating an alert, when it is determined that the wireless device is vulnerable.
Certain embodiments disclosed herein include a method for detecting potential vulnerabilities in a wireless environment. The method comprises collecting, by a network sensor deployed in the wireless environment, at least wireless traffic data; analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment; sending, to a control system, data indicating the detected wireless entity; and enforcing a security policy on the detected wireless entity based on instructions received from the control system.
G06F 21/57 - Certification ou préservation de plates-formes informatiques fiables, p. ex. démarrages ou arrêts sécurisés, suivis de version, contrôles de logiciel système, mises à jour sécurisées ou évaluation de vulnérabilité
Certain embodiments disclosed herein include a method for detecting potential vulnerabilities in a wireless environment. The method comprises collecting, by a network sensor deployed in the wireless environment, at least wireless traffic data; analyzing the collected wireless traffic data to detect at least activity initiated by a wireless entity in the wireless environment; sending, to a control system, data indicating the detected wireless entity; and enforcing a security policy on the detected wireless entity based on instructions received from the control system.
A method and system for detecting vulnerable wireless networks coexisting in a wireless environment of an organization are provided. The method includes receiving intercepted traffic, wherein the intercepted traffic is transmitted by at least one wireless device operable in an airspace of the wireless environment, wherein the intercepted traffic is transported using at least one type of wireless protocol; analyzing the received traffic to detect at least one active connection between a legitimate wireless device of the at least one wireless device and at least one unknown wireless device, wherein the legitimate wireless device is at least legitimately authorized to access a protected computing resource of the organization; and determining if the at least one detected active connection forms a vulnerable wireless network.
09 - Appareils et instruments scientifiques et électriques
42 - Services scientifiques, technologiques et industriels, recherche et conception
Produits et services
Computer software and hardware for use in the detection, analysis, mitigation and resolution of threats in the field of cyber security Software as a service (SAAS) services featuring software for use in the detection, analysis, mitigation and resolution of threats in the field of cyber security
